Creating Servers and Workstations in a Delegated OU

Pre-allocating Computers

Administrators of Orgnanizational Units (OUs) must "pre-allocate" computer objects within their OU before attempting to join that computer to the domain.

Pre-allocating a computer object is a simple process and can be accomplished either via the "Users and Computers" snap-in or programmatically via an ADSI script.

Using the Users and Computers snap-in:

  1. Right-click for a context menu within the designated OU, then choose New > Computer.
  2. In the New Object - Computer dialog box, fill in the appropriate information:
    • Computer Name
    • Computer Name (pre-Windows 2000)
    • User or Group
    • Check-box to allow "pre-Windows 2000" clients to join the Windows domain
      New Object - Computer

Computer Names

The "Computer Name" and "Pre-Windows 2000 Computer Name" need to be unique within the Windows domain. Therefore we require a naming standard for computer names. Please refer to the U-M Windows naming standards page.

The U-M standard for creating a Windows computer name specifies that each organization must prefix their computer names with a unique string of two or more characters, followed by a dash. In practice, a 2- or 3-character prefix is best, since it leaves more room for a unique suffix string. In the example above, the organizational prefix is "LNG-". The suffix might be a U-M asset code, followed by a location code. The suffix used is entirely up to the organization creating the computer object. See U-M Windows Organization Prefixes for a list of existing prefixes or to search for a particular departments prefix.

Joining Group

Fortunately, not every computer in the world can join our domain. The individual attempting to join a computer to a Windows domain must either be personally authorized to do so, or must possess the credentials of an authorized Windows account. In pre-allocating the Windows computer object, the Windows administrator should specify a Windows security group containing some number of Windows accounts that are authorized to create computer objects within the delegated OU. If you choose to create a security group for this purpose, please read the Naming Standards for the U-M Windows Forest section when choosing a name for the security group.

Registering a Computer Prefix

Typically, a U-M organization will choose a computer prefix when joining the forest. If you are already a member of the U-M forest, and would like to register another prefix, please send your request to the ITS Service Center. Existing prefixes are listed in the U-M Windows Organizational Prefixes, so be sure to look there before submitting a request. Prefixes are handed out on a "first-come, first-served" basis.

Last Updated: 
Tuesday, February 12, 2019